SSL Certificate FAQs

This Comodo SSL Certificate FAQ section answers questions such as how to choose, order, install, and manage SSL certificates. If you are new to or unfamiliar with SSL security, these FAQs will give you guidance.

Domain Validated (DV) SSL Certificates deliver the easiest & quickest solution to secure a domain since only the domain name is verified during the validation process. Anyone who can demonstrate control of a registered domain can get this SSL security within minutes of ordering. DV certificates are suitable for small or start-up businesses.

To receive an Organization Validated (OV) SSL certificate, the customer must demonstrate control of a registered domain and provide certain pieces of company information that Comodo can verify using third-party sources. The OV certificate is a good solution for business sites to increase user trust, as the certificate certifies and displays company information to prove ownership of the website.

An Extended Validation (EV) certificate is the premium SSL certificate. It provides great assurance to customers by providing the Green Bar within the browser URL window, which is a global symbol of trust. Extended Validation (EV) SSL certificates provide a secure connection and provide visible proof to establish business identity validation.

To have an EV SSL Certificate you must demonstrate that your business is an official company registered with a government authority. You cannot qualify for any EV SSL Certificate if you are a Sole Proprietor or a Partnership registered in the U.K.

A Wildcard SSL Certificate secures a single main domain (domain.com) and an unlimited number of subdomains (mail.domain.com, blog.domain.com, login.domain.com, etc.). A wildcard SSL certificate is annotated with an asterisk, as in *.domain.com.

Multi-domain or SAN (Subject Alternative Names) certificates protect multiple domain names with a single certificate (domain.com, example.net, website.org, etc.). The Comodo multi-domain certificates can cover up to 250 domains with just one certificate.

A wildcard SSL certificate secures a single domain (domain.com) and an unlimited number of sub-domains at a specific level. A multi-domain (SAN) certificate protects multiple domain names (domain.com, newdomain.org, otherdomain.com) under one certificate. You can add, edit, or delete SANs throughout the life cycle of your multi-domain certificate.

A multi-domain wildcard SSL certificate combines the features of a wildcard SSL certificate and a multi-domain certificate into one. It is designed to secure unlimited subdomains under multiple domains. During generation, the Common Name has to be a regular domain (www.domain.com) and the SAN fields can be your wildcard entries.

The 1024-bit and 2048-bit key size, or key length, refers to the strength of the private key used in a cryptographic algorithm. 2048-bit keys are more secure than 1024-bit keys. 2048-bit keys are based on the latest industry standard.

SHA stands for Signature Hashing Algorithm, which is used by the Certificate Authority to sign a certificate. SHA-1 is an older version of the algorithm and produces a 160-bit (20-byte) hash value. SHA-2 is the current hashing algorithm standard.

A Certificate Authority (CA) is an entity that is authorized to issue and manage digital certificates. Comodo is one of the most popular and leading CAs. We are resellers of Comodo digital certificates. We buy SSL certificates in bulk from Comodo and pass along the savings to you. We also provide industry-leading technical support 24/7.

Recently, Comodo positioned itself as the leading SSL certificate provider with a 33.6% market share & 6.6% usage. Additionally, all certificates from Comodo are available at an affordable price with guaranteed high security.

The SSL Certificate Warranty provides protection if your SSL is misused, hacked, or subject to a data breach due to flaws in the certificate. Comodo offers different types of SSL with different warranties, such as $10,000, $25,000, $100,000, $1,750,000, etc.

Comodo SSL Certificates are offered for 1-2 years, depending on which certificate is ordered. Comodo's EV certificate can be issued for a maximum of 2 years, and DV and OV certificates can be obtained for up to 2 years.

An internal domain can be secured through SSL, but it must be an officially registered domain (a publicly available FQDN). SSL certificates will not be issued for an internal domain that is not a registered or delegated domain.

The main difference is the key length after establishing an SSL connection in the browser. For practical purposes, 128-bit security is enough to ensure security. The only reason 256-bit security is needed is if it's specifically required by your industry or company policy.

A Unified Communications Certificate (UCC) was developed exclusively to protect MS Exchange Server 2007, Office Communications Server 2007, and Live Communications Server 2005. A single UCC SSL enables you to secure communication for multiple domains and host names on a single IP address. The certificate is best suited to protect both internal network names and external domain names.

Order Processing

A private key is essential for your SSL certificate to work, and it must remain private to avoid any man-in-the-middle attacks. Only your hosting company can see the private key to install SSL on the server.

If you want to obtain your SSL certificate quickly, contact your SSL certificate provider. Only the SSL provider can help make your order a top priority by using their close & direct connections with the CA.

The Organization Validation SSL certificate requires the true identity of the business, so you need to provide accurate documents related to your company. Before asking you for any documents, the Certificate Authority (CA) verifies the organization through an online government database. If the business information is inaccurate, incomplete, or out of date, the CA may request additional official government registration documents, which vary on a case-by-case basis.

Extended Validation (EV) SSL certificates require strict verification and additional steps: you have to provide true organization verification, domain authentication, and proof of the operational as well as the physical presence of the website owner, and be available for a simple telephone call by the Certificate Authority to complete the process.

There are two types of code signing available: code signing for an individual or for an organization. You can get a code signing certificate by fulfilling all the requirements of an OV certificate. If you want code signing for an individual, you need to complete a simple form to verify your identity. This form has to be notarized by a lawyer, CPA, or public notary and accompanied by a scan of a government-issued ID, and the Certificate Authority may also ask you to provide additional documents as needed.

There may be a few reasons for not receiving the Domain Control Validation (DCV) email. Check your order to make sure you entered the correct email address, without any typos. Also, check your spam or junk mail folders for the DCV email. You can request a change to your DCV email address; you can choose the registrant email address contained in the domain's who.is registration or one of the following file authorized alias email addresses at your domain:

Upload the authentication file to the correct directory. If the file is viewable at both yourdomain.com/file and subdomain.yourdomain.com/file, you have successfully uploaded your file to the appropriate directory.

In case you missed the phone verification call and want to reschedule, just contact your SSL provider and tell them your availability. Make sure that the phone number you have provided is verified by the Certificate Authority.

It depends on the type of certificate and the validation process of the Certificate Authority. A Domain Validated (DV) certificate can take from a few minutes to a business day, an Organization Validated (OV) certificate can be issued within 2-3 days, and an Extended Validation (EV) certificate usually takes around 3-5 business days to be issued.

We highly recommend sending a validation document to your SSL provider, because they have a list of email addresses and contact information for the Certificate Authority. They will submit your documents according to your region and the type of SSL certificate you purchased.

The Certificate Authority reviews your SSL from time to time, and a failed security review may show up, but that does not mean that something is wrong or invalid with your SSL. Whenever you see that kind of review, just contact your SSL provider, who can work to resolve the issue for you by contacting the CA.

Once you complete validation, the Certificate Authority will send the certificate to the technical contact email address that you provided in your order. If you didn't receive it, check the spam or junk folder of your email account. You can also download your issued certificate from your storefront account.

You can re-install your 'Private Key' from your backup with the help of your system administrator. If you don't have a backup, contact your web server software vendor for technical support. The last alternative is re-issuance of the certificate after re-submitting a replacement CSR.

You can generate a CSR through your web server software, but before generating a CSR, consult the official documentation for your server, control panel, and operating system, which you can find through a Google search.

Confirm that you have copied the correct file, along with the complete header and footer lines including all the hyphens, and be sure it is not your previous SSL certificate or a self-signed certificate, and that it is not bundled as PKCS7 or PKCS12. Alternatively, your password may contain non-alphanumeric or disallowed characters. If this is the case, you will need to generate a new CSR without the disallowed characters in the password. Use only the English alphabet and the numbers 0-9, with no special characters.

You may see a "CSR invalid" error during the certificate activation process if your certificate is in an incorrect format, or if you used disallowed characters in the other fields. In this case, you need to generate a new CSR using only the English alphabet and the numbers 0-9, without any special characters.
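A pre-submission check for the paste problems described in the two answers above (lost header or footer hyphens, a certificate or PKCS7/PKCS12 bundle where a CSR is expected), as an added example that is not part of the original FAQ or any Comodo tooling. The names `check_paste` and `classify` and the sample block are constructed for illustration.

```python
import base64
import binascii
import re

# One PEM block: header line, base64 body, footer line.
PEM_RE = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\n(.+?)\n-----END ([A-Z0-9 ]+)-----$",
    re.S)

# Constructed placeholder body: valid base64 of a DER-looking header plus
# zero padding. It is NOT a parseable CSR; it only exercises the checks.
SAMPLE_BODY = base64.encodebytes(b"\x30\x82\x00\x40" + bytes(64)).decode().strip()
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n" + SAMPLE_BODY +
              "\n-----END CERTIFICATE REQUEST-----\n")


def classify(label):
    """Map a PEM header label to the kind of object it announces."""
    if label.endswith("PRIVATE KEY"):
        return "private key"
    return {"CERTIFICATE REQUEST": "csr", "NEW CERTIFICATE REQUEST": "csr",
            "CERTIFICATE": "certificate", "PKCS7": "pkcs7"}.get(label, "unknown")


def check_paste(data, expected="csr"):
    """Return a list of problems with pasted PEM data (empty list = OK)."""
    try:
        text = data.decode("ascii") if isinstance(data, bytes) else data
    except UnicodeDecodeError:
        return ["binary file, not PEM text (PKCS12 and DER files look like this)"]
    m = PEM_RE.match(text.strip().replace("\r\n", "\n"))
    if not m:
        return ["header or footer line missing or incomplete (check the hyphens)"]
    begin, body, end = m.groups()
    problems = []
    if begin != end:
        problems.append("header says %r but footer says %r" % (begin, end))
    kind = classify(begin)
    if kind != expected:
        problems.append("expected a %s but this is a %s" % (expected, kind))
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # every CSR/certificate is a DER SEQUENCE
            problems.append("body does not decode to a DER structure")
    except binascii.Error:
        problems.append("body is not valid base64 (truncated or edited?)")
    return problems


if __name__ == "__main__":
    print(check_paste(SAMPLE_CSR))                                     # no problems
    print(check_paste(SAMPLE_CSR.replace("-----BEGIN", "----BEGIN")))  # hyphen lost
    print(check_paste(SAMPLE_CSR.replace(" REQUEST", "")))             # certificate
```

The check also reports a private key pasted into a CSR field, which catches the key before it is sent anywhere.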

A private key is important for SSL installation, and it should be kept private on your server. You should not expose it to your SSL provider or other users. Sometimes your web hosting company may ask for your private key to create an SSL secure connection; in that case you may share it with the web host only. If you have lost or deleted your private key, you must generate a new CSR on your server, because no Certificate Authority or SSL provider provides the private key.

You can move your SSL certificate to a different server, but you need the private key for the active certificate. If you don't have your private key, you will have to reissue the certificate with a new CSR.

The Certificate Authority (CA) does not provide direct technical support; you have to contact your SSL provider. Your SSL provider is able to provide support for any technical issue that you are facing. However, you can contact the CA directly for questions and support related to the actual validation process of the SSL certificate.

There are two ways to install an SSL certificate on more than one server. The first is to import the certificate, private key, and intermediate files on server #2, #3, etc. The other is to generate a new CSR and private key on server #2, #3, etc. and reissue the active certificate.

If a visitor's browser is unable to identify the certificate, or the certificate is outdated or incorrect, your visitors may see this error message. To solve the issue, first make sure your visitors are seeing the correct certificate. If they are seeing the correct certificate, you can solve this issue by installing the intermediate certificates.

There may be several reasons for the green bar or green padlock not showing; the most common reasons are below.

The certificate may have been issued with the SHA-1 hash algorithm. Browsers now trust SHA-2, so you need to reissue the certificate with the SHA-2 hash algorithm.

If HTML elements of your site are linked over http, they may be seen as insecure content and need to be updated by your system administrator.

Your certificate is issued from an intermediate file, and if that file is missing or invalid, the green padlock may not show. Make sure that you have installed it alongside your certificate on your server. Your SSL provider can provide this file if you don't have it.

An incorrect certificate may be installed: an old expired certificate, a certificate provided by your hosting company, or a self-signed certificate on the site. You will need to identify the source of the incorrect certificate and contact that party to resolve the issue.

In reality, there may be several reasons behind this sort of error message; some may be related to the certificate and some may not. To find a solution, click on the details to get more specific information about the message. Then tell us, and we'll help you remove this error message.

There may be several specific reasons: the common name in the certificate and the URL in the browser are not an EXACT match; www. is missing in the browser or from the domain in the certificate; the web host's certificate is incorrectly assigned to your domain name; or you purchased a certificate which does not cover the specific subdomain that you are looking at.
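The mismatch causes listed above, worked through as an added example that is not part of the original FAQ: a simplified name check (a wildcard stands for exactly one leftmost label) that reports which cause applies. The function names and the host `shared.hosting.example` are constructed for illustration; `cert_names` is assumed to be the Common Name plus SAN entries read from the certificate.

```python
def labels(name):
    """Lower-case a DNS name and split it into labels."""
    return name.strip().lower().rstrip(".").split(".")


def name_covers(cert_name, host):
    """True if one certificate name (CN or SAN entry) covers host."""
    c, h = labels(cert_name), labels(host)
    if len(c) != len(h):
        return False                      # "*" stands for exactly one label
    if c[0] == "*":
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h


def diagnose(cert_names, host):
    """Say why host is, or is not, covered by the certificate's names."""
    if any(name_covers(n, host) for n in cert_names):
        return "match"
    h = labels(host)
    for n in cert_names:
        c = labels(n)
        if c[0] == "*":
            base = c[1:]
            if h == base:
                return "bare domain not listed beside the wildcard"
            if len(h) > len(c) and h[-len(base):] == base:
                return "wildcard covers one subdomain level only"
    if h[0] == "www" and any(labels(n) == h[1:] for n in cert_names):
        return "certificate lacks the www. name"
    if any(labels(n) == ["www"] + h for n in cert_names):
        return "certificate only has the www. name"
    return "name not in certificate"


if __name__ == "__main__":
    wildcard = ["*.domain.com", "domain.com"]
    for names, host in [(wildcard, "mail.domain.com"),
                        (wildcard, "a.mail.domain.com"),
                        (["domain.com"], "www.domain.com"),
                        (["shared.hosting.example"], "domain.com")]:
        print(host, "->", diagnose(names, host))
```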

Renewals

A renewal is similar to purchasing a new SSL certificate. In the industry, 'renewal' is used as a term by all SSL providers. Further, if you go for a 'renewal', the remaining time on your existing certificate will be rolled over to your new renewal certificate.

When you renew a certificate, you can use the original CSR, but this CSR uses the exact same private key, which may be a security drawback. We therefore highly recommend generating a new CSR to renew a certificate.

It depends on the type of certificate. Usually, the Certificate Authority may use your previous documents in the renewal process for some certificates, but if any information about the organization has changed, you need to submit your new documents again. For an EV SSL order, you are required to complete full business validation again if the certificate was validated more than 13 months ago. For OV SSL, you can reuse the previous information up to 27 months from the original order.

Once you have paid for your renewal and completed the order process, look at your account or email to generate or apply for your new order. Once you have generated a certificate, make sure that your new certificate was issued and then installed in place of the old expiring certificate.

If you have completed the renewal process and installed the certificate, but the old certificate is still displayed, the issue may be with the configuration. To resolve it, restart your web server (HTTP server) and uninstall or delete the incorrect or old certificate(s).

Code Signing

A code signing certificate is a digitally signed certificate that is used to prove that code has not been altered or corrupted since it was signed by the author. You can sign many different types of code, including .exe, .cab, .dll, .ocx, and .xpi files.

If you want to use the in-browser control provided by the Certificate Authority, you must use Firefox as the default browser in order to generate a code signing certificate. The browser is essential because if it is not used properly, you may receive an error message. If you use Firefox as the default browser, then you will be able to automatically generate the CSR and store the private key within Firefox's file system, thanks to the in-browser controls. This unique private key will automatically be pulled by the corresponding certificate during the installation/download process.

When you finish the validation process, the CA will send a 'collection' or 'pick-up' link to the verified email address. Follow the link and download the certificate using the same computer and the same Firefox browser which generated the order. Firefox will pull the previously stored private key automatically and install the code signing certificate. Export the code signing certificate and private key from the browser into a PFX (.p12) file when the download has finished.

You may have trouble downloading the code signing certificate for several different reasons. First, if Firefox is not the default browser, or if you are not using the browser properly, you will receive an error message. Second, if you are not using the same PC which generated the order, the corresponding private key will be missing and you will not be able to download the code signing certificate.

The most common platforms are Microsoft, Java, Adobe, etc. Developers sign their applications for a platform using specific tools. Each platform is different, so please refer to the official instructions for your particular platform.

Customer experience is the first and foremost priority for us. Nothing is more important to us than seeing HAPPY customers and listening to their experiences. That is why our refund rate is almost nil. We don't want to leave any stone unturned to enhance your experience. Hence, we offer unparalleled 30 Days Money Back Guarantee just to be sure. Check out our Refund Policy to know more.